Building a sensible security strategy

Matthew Hackling

Matthew has over ten years' experience operating solely in the area of information security, holds a Bachelor's degree in security management from ECU and is also a CISSP. He is a former Account Director in Deloitte's Security & Privacy Services practice. Matthew has led security testing teams on assessments of large core systems replacement projects for banking institutions. He operates more in the area of information security governance these days, despite his urge to stay a bit technical. Hence he plays with BackTrack Linux, Metasploit and new web application security assessment tools in his rare free time. Currently he runs his own consultancy called Ronin Security Consulting and holds the title of General Manager of Security Testing at Enex TestLab. He is an active member of the Australian Information Security Association, and held the office of Melbourne Branch Executive for a number of years. Matt's security blog is called Infamous Agenda and he is an active Twitter user with the handle @mhackling.

So what is a sensible strategy? At its essence, a strategy is a plan broken down into short-term tactical actions, medium-term planned activities and a long-term direction that the first two serve.

A few things to consider when developing your strategy:

Visibility

Do you understand your organisation's risk profile?

What are your assets, threats, vulnerabilities and security controls? Do you have adequate tools to provide situational awareness, that is, to tell you what is actually happening on your systems rather than what you assume is happening?

Actions that could improve visibility include: installing the free log server product offered by a security information and event management (SIEM) vendor, starting a risk register, performing an inventory of public-facing websites, commissioning a penetration test, procuring a vulnerability management solution, or deploying host-based intrusion prevention technology. The common thread is that each one replaces an assumption about your environment with an observation.

Resources and Structure

Does your organisation have people allocated to the required operations and governance functions?

Are the activities they undertake aligned with the risk profile? Are activities being undertaken to secure the most important business processes and the applications that support them, rather than only the standard "best practices"?

Business Alignment

What are the business's strategic plans?

Is the business replacing the core application for its main business process? Expanding to Asia? What is the security function doing to help make this happen?

A sensible strategy might (for example) include up-skilling and recruiting personnel to help secure the new core application, or perhaps building a methodology for due diligence and onboarding of new business acquisitions.

Security Controls Improvement

The risk profile can generally be improved by strengthening existing controls or by introducing new ones. Existing controls can be improved by testing them (so you know they actually work), documenting them, and training the personnel who will administer them.

Budget

Is the current budget adequate for the required activities?

What are you doing to secure additional funding? Or, failing that, what are you doing to ensure stakeholders are aware of, and accept, the risk profile that results from budget restrictions?

Marketing

Have you identified the key stakeholders you need to buy in to the strategy for it to succeed?

What can you add to a request to "sweeten the deal"? Do you have an inconsequential "sacrificial lamb" in the plan to offer up if cuts are enforced, so that the activities that matter survive?

Hopefully this helps you move beyond "buzzword compliance".

Follow @CSO_Australia and sign up to the CSO Australia newsletter.
